Introduction
Critical infrastructure faces a myriad of cyber threats, including vulnerabilities, ransomware, and nation-state attacks, with recent discoveries highlighting significant risks posed by vulnerabilities in devices such as the Honeywell IQ4x BMS Controller and Apeman Cameras. The emergence of new malware and threat actor activity further exacerbates these risks. Successful exploitation could allow unauthorized access, data theft, or denial-of-service conditions. According to CISA, nation-state attacks are on the rise, targeting critical infrastructure and emphasizing the need for proactive defense strategies. These attacks can result in significant financial losses, disruption of essential services, and even loss of life. It is essential for organizations to understand these risks and take immediate action to protect their critical infrastructure.
Active Exploitation of Critical Infrastructure
The Honeywell IQ4x BMS Controller and Apeman Cameras vulnerabilities pose significant risks to critical infrastructure. Successful exploitation of these vulnerabilities could allow an unauthorized attacker to access controller management settings, control components, disclose information, or cause a denial-of-service condition. The Honeywell IQ4x building management controller exposes its full web-based HMI without authentication in its factory-default configuration, granting read/write privileges to any party able to reach the HTTP interface. This vulnerability is tracked as CVE-2026-3611. The affected versions of the Honeywell IQ4x BMS Controller include:
- IQ4E: >= Firmware_v3.50_3.44 and < 4.36_build_4.3.7.9
- IQ412: >= Firmware_v3.50_3.44 and < 4.36_build_4.3.7.9
- IQ422: >= Firmware_v3.50_3.44 and < 4.36_build_4.3.7.9
- IQ4NC: >= Firmware_v3.50_3.44 and < 4.36_build_4.3.7.9
- IQ41x: >= Firmware_v3.50_3.44 and < 4.36_build_4.3.7.9
- IQ3: >= Firmware_v3.50_3.44 and < 4.36_build_4.3.7.9
- IQECO: >= Firmware_v3.50_3.44 and < 4.36_build_4.3.7.9
Apeman Cameras are affected by multiple vulnerabilities, including insufficiently protected credentials, cross-site scripting, and missing authentication for critical functions, tracked as CVE-2025-11126, CVE-2025-11851, and CVE-2025-11852. The affected versions of Apeman Cameras include ID71 (all versions). CISA recommends immediate action to minimize network exposure and implement secure remote access methods, such as Virtual Private Networks (VPNs), to mitigate these risks.
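As an added example (not code from CISA's advisory or from Honeywell), the following Python checks a device inventory against the affected firmware range listed above so that unpatched IQ4x controllers can be found before they are exposed. The sample inventory, hostnames and firmware strings are constructed, and treating the "x" in IQ41x as a one-character wildcard is an assumption.

```python
import re

# Affected models and firmware range as listed in the advisory.
# Assumption: the trailing "x" in "IQ41x" is a one-character wildcard.
AFFECTED_MODELS = {"IQ4E", "IQ412", "IQ422", "IQ4NC", "IQ41x", "IQ3", "IQECO"}
RANGE_START = "Firmware_v3.50_3.44"  # first affected version (inclusive)
RANGE_FIXED = "4.36_build_4.3.7.9"   # first fixed version (exclusive)
_DOTTED = re.compile(r"\d+(?:\.\d+)*")

def version_key(firmware):
    """Map 'Firmware_v3.50_3.44' or '4.36_build_4.3.7.9' to a sortable
    (version, build) pair of int tuples. Assumption: the first dotted number is
    the version, the second (if any) the build; a bare version with no build
    sorts below the same version with a build, so it still counts as unpatched."""
    groups = _DOTTED.findall(firmware)
    if not groups:
        raise ValueError(f"no version number in {firmware!r}")
    version = tuple(int(p) for p in groups[0].split("."))
    build = tuple(int(p) for p in groups[1].split(".")) if len(groups) > 1 else ()
    return (version, build)

def model_matches(model):
    """True if the model is on the advisory list, treating 'x' as a wildcard."""
    return any(len(pat) == len(model) and all(p in ("x", m) for p, m in zip(pat, model))
               for pat in AFFECTED_MODELS)

def is_affected(model, firmware):
    """True if the model/firmware pair falls inside the advisory's range."""
    if not model_matches(model):
        return False
    return version_key(RANGE_START) <= version_key(firmware) < version_key(RANGE_FIXED)

# Constructed sample inventory; hostnames and firmware values are made up.
SAMPLE_INVENTORY = [
    {"host": "bms-01", "model": "IQ4E", "firmware": "Firmware_v3.50_3.44"},
    {"host": "bms-02", "model": "IQ412", "firmware": "4.10_build_4.1.2.3"},
    {"host": "bms-03", "model": "IQ3", "firmware": "4.36_build_4.3.7.9"},
    {"host": "bms-04", "model": "IQ422", "firmware": "Firmware_v3.40_3.10"},
    {"host": "bms-05", "model": "IQ411", "firmware": "4.36"},
    {"host": "cam-01", "model": "ID71", "firmware": "1.0"},
]

def affected_hosts(inventory):
    """Hostnames that still need the CVE-2026-3611 firmware update."""
    return [d["host"] for d in inventory if is_affected(d["model"], d["firmware"])]

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update to {RANGE_FIXED} or later")
```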
New Malware and Threat Actor Activity
Russian-speaking threat actors are targeting HR departments with BlackSanta EDR killer malware, a new EDR killer that has been spotted in the wild for over a year, according to BleepingComputer. This malware is designed to evade detection by traditional security controls, making it a significant threat to organizations that rely on endpoint detection and response (EDR) systems to protect their networks. Additionally, a new BeatBanker Android malware poses as a Starlink app to hijack devices, tricking users into installing it by masquerading as the official Google Play Store, as reported by BleepingComputer. Microsoft Teams phishing campaigns are also deploying A0Backdoor malware, with hackers contacting employees at financial and healthcare organizations over Microsoft Teams to trick them into granting remote access, according to BleepingComputer. The Sednit threat actor, known for its advanced persistent threat (APT) capabilities, has resurfaced with a sophisticated new toolkit, as reported by Dark Reading.
Technical Details and Affected Systems
The Honeywell IQ4x BMS Controller is a building management system (BMS) that controls and monitors various building systems, such as HVAC, lighting, and security. The Apeman Cameras are IP cameras used for surveillance and monitoring. Both systems are critical infrastructure that can significantly impact the safety and security of individuals and organizations. The BlackSanta EDR killer malware targets EDR systems, which detect and respond to endpoint threats. The BeatBanker Android malware poses as a legitimate app to hijack devices, making it a significant threat to mobile devices. The A0Backdoor malware is used to gain remote access to systems, posing a significant threat to organizations using Microsoft Teams for communication.
Mitigation Guidance
To protect critical infrastructure from these threats, security practitioners should take the following steps:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Use secure remote access methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available.
- Implement recommended cybersecurity strategies for proactive defense of ICS assets, such as those outlined by CISA.
- Perform proper impact analysis and risk assessment prior to deploying defensive measures.
- Stay informed about the latest threats and vulnerabilities, and take action to mitigate them, such as:
  - Updating Honeywell IQ4x BMS Controller to a version that fixes the CVE-2026-3611 vulnerability.
  - Avoiding Apeman Cameras until the vendor releases patches for the CVE-2025-11126, CVE-2025-11851, and CVE-2025-11852 vulnerabilities.
  - Being cautious of Microsoft Teams phishing campaigns and avoiding granting remote access to unknown parties.
  - Keeping Android devices and apps up to date to prevent BeatBanker malware infections.
  - Implementing security controls to detect and prevent BlackSanta EDR killer malware, such as using anti-virus software capable of detecting and removing the malware, implementing a robust endpoint detection and response (EDR) system, and conducting regular security audits and risk assessments to identify vulnerabilities.
- Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
- Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
Recommendations and Takeaways
In conclusion, threats to critical infrastructure are real and significant. Organizations must take immediate action to protect their critical infrastructure from these threats. By understanding the risks and taking proactive measures, organizations can reduce the risk of exploitation and protect their critical infrastructure. Key takeaways include:
- Critical infrastructure is under siege from various cyber threats, including vulnerabilities, ransomware, and nation-state attacks.
- The Honeywell IQ4x BMS Controller and Apeman Cameras vulnerabilities pose significant risks to critical infrastructure.
- New malware and threat actor activity, such as BlackSanta EDR killer, BeatBanker Android malware, and A0Backdoor malware, are emerging and pose significant threats to organizations.
- Organizations must take proactive measures to protect their critical infrastructure, including minimizing network exposure, using secure remote access methods, and implementing recommended cybersecurity strategies.
- Staying informed about the latest threats and vulnerabilities, and taking action to mitigate them, is crucial to protecting critical infrastructure.